1. Technical Field
The invention relates to the field of network security. In particular, the invention relates to a method, a server infrastructure and a network system enabling secure user and data authentication using a network client having access via a card reader to a smart card.
2. Description of the Prior Art
In recent years, an increasing number of novel applications like secure payment services and secure authentication services have become card-based. Today, there is a migration from cards using magnetic stripes to smart card technology, also known as integrated circuit (IC) or chip card technology. For example, nearly half of all bank cards currently circulating in Europe are already chip-based and the percentage of chip-based bank cards is steadily increasing.
The industry is taking advantage of the additional security offered by smart cards to ensure that a compatible secure infrastructure is available for home devices. By using smart cards within the home environment, secure payment and authentication services can be offered to consumers, boosting remote services like e-commerce. Besides e-commerce, additional domains like home-banking, security services and e-government also require the use of a secure and trustworthy smart card infrastructure.
Such a smart card infrastructure necessarily comprises a smart card on which a signature key is stored in combination with a secure smart card reader like the card reader specified in the workshop agreement CWA 14174 of the European Committee for Standardization (CEN). A main target of this FINREAD (FINancial transactional IC card READer) initiative is to specify a smart card reader that provides security to many different types of applications. Consequently, the FINREAD card reader does not only support smart cards issued by banks but also smart cards issued for non-financial applications.
Because a personal computer is a target for virus and Trojan horse attacks, the FINREAD card reader provides an additional level of security to make the personal computer or another consumer access device part of a secure and trusted environment. Within a specific scheme, all processing that requires trusted handling is performed only by the FINREAD card reader. This ensures that any necessary information can be authentically acknowledged by the consumer.
Authentication of the FINREAD card reader is specified in chapter 10 of the CEN workshop agreement “Financial transactional IC card reader (FINREAD)—part 2: Functional requirements” (Ref. No. CWA 14174-2:2001 E) of July 2001. The main target of the FINREAD card reader authentication function is to allow a service provider like a financial institution or payments scheme to authenticate the origin of data sent by a FINREAD card reader. This function protects against a fake card reader sending data as a FINREAD unit and also against denying that an authenticated message was sent with a FINREAD card reader. The FINREAD card reader authentication function is based on a unique identification number possessed by every FINREAD card reader in addition to the capability of signing with a unique private key. The private key is stored in a tamper resistant security module of the FINREAD card reader that keeps all confidential information in a secure environment.
A main feature of the FINREAD card reader is a user interface which is described in chapter 7 of the above CEN workshop agreement. The user interface comprises a display that is used to inform the card holder. Since on the basis of the displayed information the card holder decides whether or not displayed data will be submitted to the smart card for signature generation, the FINREAD card reader has to ensure that any information on the display is reliable. To protect the display of the FINREAD card reader from external attacks, the FINREAD card reader prevents user equipment like a personal computer from sending information directly to the display.
Besides the display, the user interface comprises a key pad. The key pad allows the user to communicate with the FINREAD card reader and, in particular, to enter information requested by applications running, for example, on the card reader. In fact, the key pad is the only means to enter data in a trusted way.
According to “Financial transactional IC card reader (FINREAD)—part 3: Security requirements” (Ref. No. CWA 14174-3:2001 E) of July 2001, chapter 6.3, FINREAD card reader authentication is cryptographically linked to a specific transaction and, if the authentication functionality is needed, it is activated during the transaction. During FINREAD card reader authentication, a digital signature with the card reader's private key is calculated. More specifically, data to be signed are provided to the security module of the FINREAD card reader for signature calculation with the private key. To have a consistent authentication function, the unique identification number is also included in the data signed.
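The reader authentication function described above (a signature with the reader's private key over data that includes the unique identification number) is sketched here as an added example; it is not part of the original text or of the CWA 14174 specification. Ed25519 stands in for the reader's signature algorithm, and the message layout, the registry of enrolled public keys and the identifier READER-0001 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// ReaderMessage is a hypothetical wire format, not the CWA 14174 encoding.
type ReaderMessage struct {
	ReaderID  string // unique identification number of the card reader
	TxData    []byte // transaction data the authentication is linked to
	Signature []byte // produced with the reader's private key
}

// signedBytes returns len(ID) || ID || TxData; the length prefix keeps the
// boundary between identification number and transaction data unambiguous.
func signedBytes(id string, tx []byte) []byte {
	out := make([]byte, 4, 4+len(id)+len(tx))
	binary.BigEndian.PutUint32(out, uint32(len(id)))
	out = append(out, id...)
	return append(out, tx...)
}

// ReaderSign models the security module signing with the reader's private key.
func ReaderSign(priv ed25519.PrivateKey, id string, tx []byte) ReaderMessage {
	return ReaderMessage{ReaderID: id, TxData: tx, Signature: ed25519.Sign(priv, signedBytes(id, tx))}
}

// VerifyOrigin is the service provider's check against its registry of
// enrolled reader public keys (the registry is an assumption of this example).
func VerifyOrigin(registry map[string]ed25519.PublicKey, m ReaderMessage) error {
	pub, ok := registry[m.ReaderID]
	if !ok {
		return errors.New("unknown reader identification number")
	}
	if !ed25519.Verify(pub, signedBytes(m.ReaderID, m.TxData), m.Signature) {
		return errors.New("signature does not match reader ID and transaction data")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)                      // nil selects crypto/rand
	registry := map[string]ed25519.PublicKey{"READER-0001": pub} // constructed ID
	msg := ReaderSign(priv, "READER-0001", []byte("pay 10.00 EUR to ACME"))
	fmt.Println("genuine:", VerifyOrigin(registry, msg))
	msg.TxData = []byte("pay 9999.00 EUR to ACME") // altered after signing
	fmt.Println("altered:", VerifyOrigin(registry, msg))
}
```

Because the identification number is inside the signed bytes, a message signed by a different key under an enrolled ID, or by an enrolled key under a different ID, fails the same check as altered transaction data.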
Given that applications like e-commerce, e-banking or e-government require the use of a secure and trustworthy smart card reader like the FINREAD card reader or any other card reader, there is a need for a secure user and data authentication procedure. More specifically, there is a need for a method, a computer program product, a server infrastructure and a network system for performing user and data authentication at a higher security level using a card reader in conjunction with a corresponding smart card.